Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
Greg Daley <Greg.Daley@eng.monash.edu.au> Wed, 25 July 2007 14:47 UTC
Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDi9c-0006Tg-3B; Wed, 25 Jul 2007 10:47:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDi9a-0006Nn-Nu for mipshop@ietf.org; Wed, 25 Jul 2007 10:47:54 -0400
Received: from kenny.its.monash.edu.au ([130.194.13.164]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IDi9Z-0000aW-Vw for mipshop@ietf.org; Wed, 25 Jul 2007 10:47:54 -0400
Received: from moe.its.monash.edu.au ([130.194.13.88]) by kenny.its.monash.edu.au (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with ESMTP id <0JLQ00AU8P3S3320@kenny.its.monash.edu.au> for mipshop@ietf.org; Thu, 26 Jul 2007 00:47:52 +1000 (EST)
Received: from moe.its.monash.edu.au (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with ESMTP id 6E0A9AB542; Thu, 26 Jul 2007 00:47:52 +1000 (EST)
Received: from monash.edu.au (dollet.its.monash.edu.au [130.194.11.236]) by moe.its.monash.edu.au (Postfix) with ESMTP id 46C264FB0A; Thu, 26 Jul 2007 00:47:52 +1000 (EST)
Received: from [76.200.71.33] by mail-store-2.its.monash.edu.au (mshttpd); Wed, 25 Jul 2007 09:47:51 -0500
Date: Wed, 25 Jul 2007 09:47:51 -0500
From: Greg Daley <Greg.Daley@eng.monash.edu.au>
Subject: Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
In-reply-to: <f5860b321f815.1f815f5860b32@monash.edu.au>
To: Greg Daley <Greg.Daley@eng.monash.edu.au>
Message-id: <f597e8de193b2.193b2f597e8de@monash.edu.au>
MIME-version: 1.0
X-Mailer: iPlanet Messenger Express 5.2 HotFix 2.12 (built May 22 2006)
Content-type: text/plain; charset="us-ascii"
Content-language: en
Content-transfer-encoding: 7bit
Content-disposition: inline
X-Accept-Language: en
Priority: normal
References: <f5860b321f815.1f815f5860b32@monash.edu.au>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc: mipshop@ietf.org, kempf@docomolabs-usa.com
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Hi James, et al. please note, I have sent a more complete version of this e-mail to the list. Sorry for the klutziness. Greg ----- Original Message ----- From: Greg Daley <Greg.Daley@eng.monash.edu.au> Date: Wednesday, July 25, 2007 8:42 am Subject: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key To: mipshop@ietf.org Cc: kempf@docomolabs-usa.com > > I made a comment at the mike yesterday concerned about the requirement > to use an additional (non-CGA) public/private keypair in the > handover-keys draft. > > The comment I made was based on misunderstanding the issues > presented in > Rajeev's presentation. > > Now I have had the chance to go through the meat of James' earlier > postabout these keys, and realize that the new keys would be > exclusivelygenerated for key derivation, and would not require any > bulk data > encryption using assymmetric cryptography. > > > I think this is a very good idea, in that it allows the key- > derivation keys > to be limited in lifetime, without affecting the stability or security > of the CGA. > > The lifetime of any public key which is used in cryptography should be > limited both by the number of key deriving encryption operations they > perform, and an absolute lifetime, in order to prevent cryptanalysis. > > > Having the router and host autonomously generate a shorter lived > key-derivation keypair can be made to provide significant security > without causing undue additional computation. > This is because the key can be used and reused for key derivations > with many different hosts and only discarded when it is worn out or > old. > > The cost is that the key-derivation key information (algorithm, public > key, etc) would have to be included in messages between the host > and router > before the keys could be derived, and additional information would > need to > be provided in the encrypted block of the Handover Key option. > > > Note that it is important to ensure that the encypted key derivations > themselves are not used in replay attacks, especially as the keys for > the encryption of the symmetric key information are no longer the CGA > private keys. > > This requires that information tying the sender's CGA public key to > theencrypted block. > > Here is my view of the protocol: > > > Legend > > N_n_i Nonce number (i) from node (n) > > T_n_i Timestamp number (i) from node (n) > > CGAOPT_n CGA option for node (n) > > KDKOPT_n Key Derivation Keying Option for node (n) > Contains: > information about key algorithm > public key > public key identifier (perhaps implicit, SHA-1 of > public key) > > SIGNED_n signature using the CGA private key of (n) > > h Host > > r Router > > > RS: Signed_h ( h,All Routers, N_r_1, T_r_1, KDKOPT_h, > CGAOPT_h ) > > RA: > > > > There is an assumption that the information in the KDK option is > valid for a period where the subsequent messages key derivation > exchanges are to be sent. > > Either this validity time can be included explicitly in the KDK option > itself, or there can be a reasonable assumption provided, e.g.: > > A node only sends a KDK option containing information valid for at > least30 minutes ( or however long the original SEND message > containing the > option is valid). > > > > _______________________________________________ > Mipshop mailing list > Mipshop@ietf.org > https://www1.ietf.org/mailman/listinfo/mipshop > _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop